GDPR - What you need to know!
With the General Data Protection Regulation (GDPR) on the horizon, many employers will need to ensure that they are compliant by May 25, 2018. We walk you through GDPR, offering advice to ensure that you are compliant when the deadline arrives.
So what is GDPR?
The General Data Protection Regulation (GDPR) is a now the legal framework whereby member states must treat and protect personal data. It will replace the current Data Protection Act 1998 (DPA), and is likely to be adopted post Brexit given recent statements by the UK’s Information Minister.
To date, GDPR is seen as the strictest framework in the world. Under the regulation, the cost of non compliance could become a reality for many employers who neglect to take the necessary steps to ensure that they have followed the correct procedures and best practice. The regulation sets a 4 percent administrative fine, based on worldwide revenues, for non compliance. For other breaches, the authorities could impose fines on companies of up to 2 percent of global annual turnover, whichever is greater.
Steps employers should take towards compliance
Although new legislations are often perceived as yet another band of red tape in an employer’s worst nightmare, the good news is that if you are compliant with the current data protection act, you will have a good foundation to build towards becoming GDPR compliant. Below are some steps you can take now!
1. Raise Awareness
You should ensure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under GDPR. You should particularly use the first part of the regulation’s two-year lead-in period to raise awareness of the changes that are coming. You may find compliance difficult if you leave your preparations until the last minute.
2. Document the information you hold
Because GDPR updates rights for the networked world, employers will need to document what data they hold, where it came from and who they share it with. For this reason, it may be worthwhile to conduct an information audit across the organisation or within personal areas of the business.
If you have inaccurate personal data and have shared this with another organisation, you will have to tell the other organisation about the inaccuracy so it can correct its own records. This means that all personal data must be documented. The process will also enable you to comply with the GDPR’s accountability principle, which requires organisations to be able to show how they comply with the data protection principles.
3. Be mindful of how you communicate privacy information
Under the GDPR you will need to explicitly explain in writing your legal basis for processing the data, your data retention periods. Alternatively, data subjects have a right to complain to the ICO if they think there is a problem with the way you are handling their data. Note that the GDPR requires the information to be provided in concise, easy to understand and clear language.
4. Appreciate the individual's rights
Under GDPR, the main rights for individuals will be:
- Subject access,
- To have inaccuracies corrected,
- To have information erased,
- To prevent direct marketing,
- To prevent automated decision-making and profiling, and
- Data portability
On the whole, the rights individuals will enjoy under the GDPR are the same as those under the DPA but with some significant enhancements. If you are geared up to give individuals their rights now, then the transition to the GDPR should be relatively easy.
The right to data portability is new. This is an enhanced form of subject access where you have to provide the data electronically and in a commonly used format. Many organisations will already provide the data in this way, but if you use paper print-outs or an unusual electronic format, now is a good time to revise your procedures and make any necessary changes.
5. Subject access requests
The rules for dealing with subject access requests will change under the GDPR. In most cases you will not be able to charge subjects for complying with a request and commonly have just one month to comply, rather than the current 40 days. In addition, you will need to provide additional information to people making requests, such as your data retention periods and the right to have inaccurate data corrected.
6. Legal basis for processing data
Under the GDPR, the rights of certain individuals will be modified depending on your legal basis for processing their personal data. The most obvious example is that subjects will have a stronger right to have their data deleted where you use consent as your legal basis for processing. You will also have to explain your legal basis for processing personal data in your privacy notice and when you answer a subject access request. Documenting this this will help you comply with the GDPR’s ‘accountability’ requirements.
7. Focus on consent
The consent threshold has been raised. Data processors will now have to receive ‘consent’ or ‘explicit consent’ by the data subject regarding how their personal data is used, distributed and retained. Employers should review how they are seeking, obtaining and recording consent and whether you need to make any changes. Like the DPA, the GDPR has references to both ‘consent’ and ‘explicit consent’. The difference between the two is not clear given that both forms of consent have to be freely given, specific, informed and unambiguous. Consent also has to be a positive indication of agreement to personal data being processed – it cannot be inferred from silence, pre-ticked boxes or inactivity.
8. Data breaches
A data breach where the victim is likely to suffer some form of damage – such as identity theft or a confidentiality breach - must be reported to the ICO within 72 hours of infiltration. The DPO will need to provide information on when the leak happened, who was affected and what is being done to remedy the issue. You need to ensure that you have the right procedures in place to detect, report and investigate a personal data breach. This could involve assessing the types of data you hold and documenting which ones would fall within the notification requirement if there was a breach.
9. Data impact assessments
Although a privacy by design and data minimisation approach has always been an implicit requirement within the data protection principles, under the GDPR it will become an express legal requirement. You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments (PIAs) and work out how to implement them in your organisation. This guidance shows how PIAs can link to other organisational processes such as risk management and project management. However, a PIA will only be required in what is deemed as high-risk situations under the GDPR, such as new technology being deployed or where a profiling operation is likely to significantly affect individuals. You will be required to consult the ICO to seek its opinion as to whether the processing operation complies with the GDPR.
10. Data protection officers
Under GDPR, It will be compulsory for public sector bodies, private sector controllers whose core activities consist of processing operations that require ‘regular and systematic monitoring of data subjects on a large scale’ and private sector controllers whose core activities consist of processing sensitive personal data to appoint a Data Protection Officer (DPO). The DPO will need to act independently, being empowered to report directly to board of directors.
You can find the ICO’s full Employer's guide here!
Need a job? We can help!
There is no doubt that the GDPR will have an impact across a variety of different industries. At Search, we have a team of dedicated recruitment specialists who have a proven track record of finding highly skilled and experienced candidates to meet the demands of the market. If you're looking to recruit a cyber security or compliance expert to help you adjust to GDPR, you can contact Philip Piper on [email protected].
For skilled candidates seeking employment, you can check out our vacancies here!
You may also like: